JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.9.1
A vulnerability allowing unauthorized access to sensitive API key information has been identified in JeecgBoot versions through 3.9.1. The issue resides in the 'AiragModelController' component: its 'list' and 'queryById' endpoints lack proper access controls, and the 'credential' field of the 'AiragModel' entity, which holds the full API keys for the configured AI service providers, is serialized into the HTTP response without any masking or exclusion. The vulnerability is exploitable remotely by any authenticated user, including accounts holding only the default low-privilege 'testonly' role.
Exploitation leads to disclosure of the stored API keys, which an attacker can then use directly against the third-party AI services, acting as, and billed to, the application's own accounts with those providers.
1. Authenticate as an account holding only the default 'testonly' role and call the 'AiragModelController' endpoints with that session.
2. Call the 'list' endpoint: the response enumerates the configured AI models, including the full 'credential' value of each.
3. Alternatively, call 'queryById' with a model's id: the single-record response includes the same unmasked credential field.
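A check a defender can run against their own deployment, written for this page as an added example rather than code from the JeecgBoot project: it walks the JSON returned by the 'list' or 'queryById' endpoint and reports every model record whose 'credential' field comes back in clear, which is exactly the condition the steps above rely on. The endpoint path, the 'X-Access-Token' header name and the {"result": {"records": [...]}} response layout are assumptions about a JeecgBoot deployment and should be confirmed against the instance being tested; the embedded sample responses are constructed, not captured from a real system.

```python
"""Offline checker for the AiragModel credential exposure described above.

Added example, not JeecgBoot project code. Endpoint paths, header name and
response layout are assumptions about a JeecgBoot deployment.
"""
import json
import re
import urllib.request
from typing import Any, Iterator

# Assumed path of the vulnerable list endpoint; confirm against your
# deployment's AiragModelController before using check_instance().
LIST_PATH = "/airag/model/list"

# A server that masks keys returns things like "******" or "sk-1***ab";
# a run of three or more asterisks (or an all-x/bullet string) counts as masked.
_MASK_RE = re.compile(r"\*{3,}|^[xX\u2022]+$")


def _walk(node: Any) -> Iterator[dict]:
    """Yield every dict nested anywhere inside node (records, result, ...)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def mask(secret: str) -> str:
    """Preview a secret safely in a report: keep a 4-char prefix and 2-char suffix."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def is_exposed(value: Any) -> bool:
    """True when a 'credential' value looks like a real key rather than a mask or blank."""
    if not isinstance(value, str) or not value.strip():
        return False
    return _MASK_RE.search(value) is None


def find_exposed_credentials(body: dict) -> list[dict]:
    """Return one finding per record whose 'credential' is returned in clear.

    Works for both response shapes assumed here: a 'result' holding
    {'records': [...]} (list) or a single model object (queryById).
    """
    findings = []
    for rec in _walk(body.get("result", body)):
        if "credential" in rec and is_exposed(rec["credential"]):
            findings.append({
                "id": rec.get("id"),
                "name": rec.get("name"),
                "provider": rec.get("provider"),
                "preview": mask(rec["credential"]),
            })
    return findings


def fetch_json(base_url: str, path: str, token: str, timeout: float = 10.0) -> dict:
    """GET a JeecgBoot endpoint as a logged-in user; the header name is an assumption."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"X-Access-Token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_instance(base_url: str, token: str, path: str = LIST_PATH) -> list[dict]:
    """Run the check against a live instance using a low-privilege (e.g. 'testonly') session."""
    return find_exposed_credentials(fetch_json(base_url, path, token))


# Constructed sample responses (not captured from a real instance).
SAMPLE_LIST_RESPONSE = {
    "success": True, "code": 200,
    "result": {"records": [
        {"id": "m1", "name": "gpt-demo", "provider": "openai",
         "credential": "sk-constructed0123456789"},   # exposed in clear
        {"id": "m2", "name": "local-llm", "provider": "ollama", "credential": ""},
        {"id": "m3", "name": "claude-demo", "provider": "anthropic", "credential": "******"},
    ], "total": 3},
}
SAMPLE_QUERY_BY_ID_RESPONSE = {
    "success": True, "code": 200,
    "result": {"id": "m1", "name": "gpt-demo", "provider": "openai",
               "credential": "sk-constructed0123456789"},
}
SAMPLE_FIXED_RESPONSE = {   # what a patched server should return: no credential field at all
    "success": True, "code": 200,
    "result": {"records": [{"id": "m1", "name": "gpt-demo", "provider": "openai"}], "total": 1},
}

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_LIST_RESPONSE):
        print(f"exposed credential on model {f['id']} ({f['provider']}): {f['preview']}")
```

Run the offline samples first to see the report format, then point check_instance() at a staging copy of the deployment with a token for a 'testonly' account; an empty result after the upgrade is the expected outcome, and any non-empty result before it means the listed keys should be treated as compromised.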
Users are advised to upgrade to JeecgBoot version 3.9.2, where this vulnerability has been addressed. Because upgrading does not revoke keys that may already have been read, any provider API keys stored in a vulnerable instance that was reachable by low-privilege accounts should also be rotated.